Skip to main content

LiteLLM CVE-2026-42271

| EUVDEUVD-2026-28507 HIGH
Command Injection (CWE-77)
2026-05-08 GitHub_M GHSA-v4p8-mg3p-g94g
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Added to CISA KEV
Jun 08, 2026 - 17:16 CISA
Patch available
May 08, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:32 vuln.today
Analysis Generated
May 08, 2026 - 04:32 vuln.today
CVSS changed
May 08, 2026 - 04:22 NVD
8.7 (HIGH)
CVE Published
May 08, 2026 - 03:35 nvd
HIGH 8.7

DescriptionCVE.org

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user - including holders of low-privilege internal-user keys - could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

AnalysisAI

Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute arbitrary commands on the host system. Two MCP (Model Context Protocol) test endpoints accept stdio transport configurations including command, args, and env fields, then spawn the supplied command as a subprocess with proxy process privileges. Authentication with any valid API key, including low-privilege internal-user keys, bypasses intended PROXY_ADMIN role restrictions. Patch available in version 1.83.7. No CISA KEV listing or public exploit code identified at time of analysis, though EPSS scoring is not provided in available data.

Technical ContextAI

LiteLLM is an AI Gateway proxy server that provides OpenAI-compatible interfaces for various LLM APIs. The vulnerability affects MCP (Model Context Protocol) server testing functionality introduced in version 1.74.2. MCP uses stdio transport to communicate with external tools/servers, requiring command execution on the host. The POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints accept JSON configurations containing command, args, and env parameters for stdio transport. These endpoints lack proper authorization checks, validating only API key presence without verifying PROXY_ADMIN role membership. This represents CWE-77 (Command Injection) combined with an authorization bypass, where user-controlled input flows directly into subprocess.spawn() or equivalent system calls. The affected CPE is cpe:2.3:a:berriai:litellm:*:*:*:*:*:*:*:*, covering all deployment methods (pip package, Docker container).

RemediationAI

Upgrade to LiteLLM version 1.83.7 or later, which enforces PROXY_ADMIN role checks on both vulnerable endpoints. For pip installations, run 'pip install --upgrade litellm'. For Docker deployments, pull ghcr.io/berriai/litellm:v1.83.7-stable and verify image signature using cosign per vendor instructions at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable. If immediate upgrade is not feasible, block POST requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list at reverse proxy or API gateway level using URL path filtering. This workaround prevents exploitation but disables MCP server preview functionality. Additionally, audit all issued API keys and revoke unnecessary low-privilege internal-user keys to reduce attack surface. Review proxy process security context and consider running LiteLLM with reduced privileges or in isolated containers to limit blast radius. No additional code changes or configuration modifications required after upgrading to patched version.

CVE-2026-42208 CRITICAL POC
9.3 May 08

SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read an

CVE-2024-2952 CRITICAL POC
9.8 Apr 10

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s

CVE-2026-40217 HIGH POC
8.8 Apr 10

Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar

CVE-2024-4888 HIGH POC
8.1 Jun 06

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t

CVE-2025-0330 HIGH POC
7.5 Mar 20

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc

CVE-2024-9606 HIGH POC
7.5 Mar 20

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi

CVE-2024-6587 HIGH POC
7.5 Sep 13

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS

CVE-2024-5225 HIGH POC
7.2 Jun 06

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en

CVE-2024-4889 HIGH POC
7.2 Jun 06

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated

CVE-2024-5710 MEDIUM POC
6.5 Jun 27

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med

CVE-2024-5751 CRITICAL
9.8 Jun 27

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit

CVE-2026-12795 MEDIUM POC
5.5 Jun 21

Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoin

Vendor StatusVendor

Share

CVE-2026-42271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy